Abstract. We present a general framework for constructing families of elliptic curves of prime order with prescribed embedding degree. We demonstrate this method by constructing curves with embedding degree $k = 10$, which solves an open problem posed by Boneh, Lynn, and Shacham [6]. We show that our framework incorporates existing constructions for $k = 3, 4, 6$, and $12$, and we give evidence that the method is unlikely to produce infinite families of curves with embedding degree $k > 12$.



1 Introduction 

A cryptographic pairing is a bilinear map between two groups in which the discrete logarithm problem is hard. In recent years, such pairings have been applied to a host of previously unsolved problems in cryptography, the most important of which are one-round three-way key exchange [13], identity-based encryption, and short digital signatures.

The cryptographic pairings used to construct these systems in practice are based on the Weil and Tate pairings on elliptic curves over finite fields. These pairings are bilinear maps from an elliptic curve group $E(\mathbb{F}_q)$ to the multiplicative group of some extension field $\mathbb{F}_{q^k}$. The parameter $k$ is called the embedding degree of the elliptic curve. The pairing is considered to be secure if the discrete logarithm problems in the groups $E(\mathbb{F}_q)$ and $\mathbb{F}_{q^k}^*$ are both computationally infeasible.

For optimal performance, the parameters $q$ and $k$ should be chosen so that the two discrete logarithm problems are of approximately equal difficulty when using the best known algorithms, and the order of the group $\#E(\mathbb{F}_q)$ should have a large prime factor $r$. For example, a pairing is considered secure against today's best attacks when $r \approx 2^{160}$ and $k \approx 6$-$10$, depending on the application. In order to vary the security level or adapt to future improvements in discrete log technology, we would like to have a supply of elliptic curves at our disposal for arbitrary $q$ and $k$.

Many researchers have examined the problem of constructing elliptic curves with prescribed embedding degree. Menezes, Okamoto, and Vanstone showed that a supersingular elliptic curve must have embedding degree $k \leq 6$, and furthermore $k \leq 3$ in characteristic not equal to 2 or 3. Miyaji, Nakabayashi, and Takano [15] have given a complete characterization of ordinary elliptic curves of prime order with embedding degree $k = 3$, $4$, or $6$, while Barreto and Naehrig [2] give a construction for curves of prime order with $k = 12$. There is a general construction, originally due to Cocks and Pinch, for curves of arbitrary embedding degree $k$, but in this construction the sizes of the field $\mathbb{F}_q$ and the subgroup of prime order $r$ are related by $q \approx r^2$, which leads to inefficient implementation. Recent efforts (cf. [7]) have focused on reducing the ratio $\rho = \log q / \log r$ for arbitrary $k$, but no additional examples have been found with $\rho$ small enough to allow for curves of prime order.

The focus of this paper is the construction of ordinary elliptic curves of prime order with prescribed embedding degree. In Section 2 we present a general framework for constructing such curves and give conditions under which this method will give us infinite families of elliptic curves. The method is based on the Complex Multiplication method of curve construction and is implicit in the constructions of several other researchers. Our contribution is to gather all of the relevant results in one place and to define terminology that makes it apparent that these various constructions are all instances of the same general method.

Our main contribution appears in Section 3, where we show how the method of Section 2 can be used to construct curves with embedding degree $k = 10$. We give examples of such curves over fields of cryptographic size, solving an open problem posed by Boneh, Lynn, and Shacham [6].

In Section 4 we show how the existing constructions of elliptic curves of prime order with embedding degree $k = 3$, $4$, $6$, or $12$ can be explained via the framework of Section 2. In Section 5 we show that for $k > 6$, our method is not likely to give additional infinite families of elliptic curves with the specified embedding degree. We note, however, that examples of such families exist for $k = 10$ and $k = 12$, and we ask in Section 6 if such examples can be constructed in a systematic fashion.
2 A Framework for Constructing Pairing-Friendly Elliptic Curves

In this section we describe a general framework for constructing elliptic curves of a given embedding degree $k$. This framework is implicit in the constructions of Miyaji, Nakabayashi, and Takano [15]; Barreto, Lynn, and Scott; Cocks and Pinch; and Brezing and Weng. After stating the relevant results, we define terminology that will allow us to show that these constructions are all specific cases of the same general method.

To construct our elliptic curves, we parameterize the number of points on the curve and the size of the field of definition by polynomials $n(x)$ and $q(x)$, respectively. For each $x_0$ that gives prime values for $n(x_0)$ and $q(x_0)$, we can use the Complex Multiplication method to construct an elliptic curve with the desired properties. The main result of this section is Theorem 2.7, which gives a criterion for the existence of infinite families of such good parameters.

We begin by giving a formal definition of embedding degree. 

Definition 2.1. Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_q$, and let $n$ be a prime dividing $\#E(\mathbb{F}_q)$. The embedding degree of $E$ with respect to $n$ is the smallest integer $k$ such that $n$ divides $q^k - 1$.

Equivalently, $k$ is the smallest integer such that $\mathbb{F}_{q^k}$ contains $\mu_n$, the group of $n$th roots of unity in $\overline{\mathbb{F}}_q$. We often ignore $n$ when stating the embedding degree, as it is usually clear from the context.

If we fix a target embedding degree $k$, we wish to solve the following problem: find a prime (power) $q$ and an elliptic curve $E$ defined over $\mathbb{F}_q$ such that $n = \#E(\mathbb{F}_q)$ is prime and $E$ has embedding degree $k$. Furthermore, since we may wish to construct curves over fields of different sizes, we would like to be able to specify (approximately) the number of bits of $q$ in advance.

We follow the strategy of Barreto and Naehrig [2] in parameterizing the trace of the curves to be constructed. Namely, we choose some polynomial $t(x)$, which will be the trace of Frobenius for our hypothetical curve, and construct polynomials $q(x)$ and $n(x)$ that are possible orders of the prime field and the elliptic curve group, respectively. More precisely, if $q(x_0)$ is prime for some $x_0$, we can use the Complex Multiplication method [3, 16] to construct an elliptic curve over $\mathbb{F}_{q(x_0)}$ with $n(x_0)$ points and embedding degree $k$.

Theorem 2.2. Fix a positive integer $k$, and let $\Phi_k(x)$ be the $k$th cyclotomic polynomial. Let $t(x)$ be a polynomial with integer coefficients, let $n(x)$ be an irreducible factor of $\Phi_k(t(x) - 1)$, and let $q(x) = n(x) + t(x) - 1$. Let $f(x) = 4q(x) - t(x)^2$. Fix a positive square-free integer $D$, and suppose $(x_0, y_0)$ is an integer solution to the equation $Dy^2 = f(x)$ for which

1. $q(x_0)$ is prime, and

2. $n(x_0)$ is prime.

If $D$ is sufficiently small, then there is an efficient algorithm to construct an elliptic curve $E$ defined over $\mathbb{F}_{q(x_0)}$ such that $E(\mathbb{F}_{q(x_0)})$ has prime order $n(x_0)$ and $E$ has embedding degree at most $k$.

Proof. By hypothesis, we have a solution $(x_0, y_0)$ to the equation $Dy^2 = f(x)$ for which $q(x_0)$ is prime. If $D$ is sufficiently small then the construction of an elliptic curve $E$ over $\mathbb{F}_{q(x_0)}$ with $\#E(\mathbb{F}_{q(x_0)}) = n(x_0)$ is standard via the Complex Multiplication method; see [3] or [16] for details. Since $n(x_0)$ is prime, $E(\mathbb{F}_{q(x_0)})$ has prime order, and it remains only to show that $E$ has embedding degree at most $k$. Barreto, Lynn, and Scott [Lemma 1] show that $E$ having embedding degree $k$ is equivalent to $n(x_0)$ dividing $\Phi_k(t(x_0) - 1)$ and $n(x_0)$ not dividing $\Phi_i(t(x_0) - 1)$ for $i < k$. Since we have chosen the polynomial $n(x)$ to divide $\Phi_k(t(x) - 1)$, and since $q(x_0) \equiv t(x_0) - 1 \pmod{n(x_0)}$ while $\Phi_k(X)$ divides $X^k - 1$, $n(x_0)$ is guaranteed to divide $q(x_0)^k - 1$, and the embedding degree of $E$ is thus at most $k$. □

Remark 2.3. The fact that $n(x)$ does not divide $\Phi_i(t(x) - 1)$ as polynomials for $i < k$ does not guarantee that $n(x_0)$ does not divide $\Phi_i(t(x_0) - 1)$ as integers for some $i < k$. However, this latter case will be rare in practice, and thus the embedding degree of a curve constructed via the method of Theorem 2.2 will usually be $k$.

Remark 2.4. If we wish to construct curves whose orders are not necessarily prime but merely have a large prime factor, we may relax condition (2) of the theorem accordingly, and the same analysis holds.
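The following Python code is an added example, not part of the original paper: it implements the two descriptions of the embedding degree used above, Definition 2.1 directly and the cyclotomic criterion from the proof of Theorem 2.2, and checks them against a small instance of the embedding-degree-10 family of Section 3 at $x = -2$, namely $t = 33$, $n = 251$, $q = 283$ (values I computed for this illustration; the function names are mine). It also lists the $i < k$ for which $n \mid \Phi_i(t - 1)$ holds as integers, which is the situation Remark 2.3 warns about.

```python
from functools import lru_cache


def poly_div_exact(num, den):
    """Exact division of integer polynomials given as coefficient lists
    (lowest degree first); den must be monic.  Raises on a nonzero remainder."""
    rem = list(num)
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        c = rem[i + len(den) - 1]        # leading coefficient of what is left
        quot[i] = c
        for j, dj in enumerate(den):
            rem[i + j] -= c * dj
    if any(rem):
        raise ValueError("division is not exact")
    return quot


@lru_cache(maxsize=None)
def cyclotomic(k):
    """Coefficients of the k-th cyclotomic polynomial Phi_k (lowest degree
    first), computed as (x^k - 1) / prod_{d | k, d < k} Phi_d."""
    poly = [-1] + [0] * (k - 1) + [1]    # x^k - 1
    for d in range(1, k):
        if k % d == 0:
            poly = poly_div_exact(poly, cyclotomic(d))
    return tuple(poly)


def eval_poly(coeffs, m):
    """Horner evaluation of an integer polynomial at the integer m."""
    val = 0
    for c in reversed(coeffs):
        val = val * m + c
    return val


def embedding_degree(q, n, bound=100):
    """Definition 2.1: the smallest k >= 1 with n | q^k - 1, or None if
    there is none up to `bound` (n prime, n not dividing q)."""
    for k in range(1, bound + 1):
        if pow(q, k, n) == 1:
            return k
    return None


def cyclotomic_embedding_degree(q, t, n, bound=100):
    """Criterion from the proof of Theorem 2.2: for a prime n > bound dividing
    q + 1 - t, the embedding degree is the smallest k with n | Phi_k(t - 1),
    because q = t - 1 (mod n) and, for n not dividing k, n | Phi_k(m) exactly
    when m has multiplicative order k modulo n."""
    assert (q + 1 - t) % n == 0
    for k in range(1, bound + 1):
        if eval_poly(cyclotomic(k), t - 1) % n == 0:
            return k
    return None


# Constructed instance (values computed for this example): the k = 10 family
# of Section 3 at x = -2 gives t = 33, n = 251, q = 283.
T0, N0, Q0 = 33, 251, 283


def check_instance():
    """Returns (degree by Definition 2.1, degree by the Phi_k criterion, and
    the list of i < 10 with n | Phi_i(t - 1) as integers, cf. Remark 2.3)."""
    assert Q0 + 1 - T0 == N0
    direct = embedding_degree(Q0, N0)
    via_phi = cyclotomic_embedding_degree(Q0, T0, N0)
    lower = [i for i in range(1, 10)
             if eval_poly(cyclotomic(i), T0 - 1) % N0 == 0]
    return direct, via_phi, lower


if __name__ == "__main__":
    print(cyclotomic(10), check_instance())
```

Here $\Phi_{10}(32) = 1016801 = 251 \cdot 4051$, so $n = 251$ divides $\Phi_{10}(t - 1)$ and no $\Phi_i(t - 1)$ with $i < 10$, and both functions return 10.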

In practice, to construct an elliptic curve with embedding degree $k$ one chooses polynomials $t(x)$, $n(x)$, and $q(x)$ satisfying the conditions of Theorem 2.2 and tests various values of $x$ until $n(x)$ and $q(x)$ are prime. If the distributions of the values of the polynomials $n(x)$ and $q(x)$ are sufficiently random, the Prime Number Theorem tells us that we should have to test roughly $\log n(x_1) \log q(x_1)$ values of $x$ near $x_1$ until we find an $x_0$ that gives a prime value for both polynomials. Since the distribution of prime values of polynomials is not well understood in general, it will be hard to prove theorems that explicitly construct infinite families of elliptic curves of prime order. Rather, we will be slightly less ambitious and search for polynomials as in Theorem 2.2 that will give us the desired elliptic curves whenever the polynomials take on prime values. We incorporate this approach into the following definition.

Definition 2.5. Let $t(x)$, $n(x)$, and $q(x)$ be polynomials with integer coefficients. For a given positive integer $k$ and positive square-free integer $D$, the triple $(t, n, q)$ represents a family of curves with embedding degree $k$ if the following conditions are satisfied:

1. $n(x) = q(x) + 1 - t(x)$.

2. $n(x)$ and $q(x)$ are irreducible.

3. $n(x)$ divides $\Phi_k(t(x) - 1)$, where $\Phi_k$ is the $k$th cyclotomic polynomial.

4. The equation $Dy^2 = 4q(x) - t(x)^2$ has infinitely many integer solutions $(x, y)$.



Defining a family of curves in this way gives us a simple criterion for constructing elliptic curves with embedding degree $k$. This criterion is implicit in the Barreto-Naehrig construction of curves with $k = 12$ and $D = 3$.

Corollary 2.6. Suppose $(t, n, q)$ represents a family of curves with embedding degree $k$ for some $D$. Then for each $x_0$ such that $n(x_0)$ and $q(x_0)$ are both prime, there is an elliptic curve $E$ defined over $\mathbb{F}_{q(x_0)}$ such that $\#E(\mathbb{F}_{q(x_0)})$ is prime, and $E$ has embedding degree at most $k$.

In practice, for any $t(x)$ we can easily find $n(x)$ and $q(x)$ satisfying conditions (1), (2), and (3) of Definition 2.5; the difficulty arises in choosing the polynomials so that $Dy^2 = 4q(x) - t(x)^2$ has infinitely many integer solutions. In general, if $f(x)$ is a square-free polynomial of degree at least 3, then there will be only a finite number of integer solutions to the equation $Dy^2 = f(x)$ (cf. Proposition 2.10). Thus we conclude that $(t, n, q)$ can represent a family of curves only if $f(x)$ has some kind of special form.

We now show that if $f(x)$ is quadratic, then one integral solution to the equation $Dy^2 = f(x)$ will give us infinitely many solutions. This is the technique that Miyaji et al. [15] use to produce curves with embedding degree 3, 4, or 6, and we will use the same technique in Section 3 to construct curves with embedding degree 10. The idea is as follows: we complete the square to write the equation $Dy^2 = f(x)$ as $u^2 - D'v^2 = T$ for some constant $T$, and observe that $(u, v)$ is a solution to this equation if and only if $u + v\sqrt{D'}$ has norm $T$ in the real quadratic field $\mathbb{Q}(\sqrt{D'})$. By Dirichlet's unit theorem, there is a one-dimensional set of norm-one integral elements of this field; multiplying each of these units by our element of norm $T$ gives an infinite family of elements of norm $T$. We then show that a certain fraction of these elements can be converted back to solutions of the original equation.

Theorem 2.7. Fix an integer $k > 0$, and choose polynomials $t(x), n(x), q(x) \in \mathbb{Z}[x]$ satisfying conditions (1), (2), and (3) of Definition 2.5. Let $f(x) = 4q(x) - t(x)^2$. Suppose $f(x) = ax^2 + bx + c$, with $a, b, c \in \mathbb{Z}$, $a > 0$, and $b^2 - 4ac \neq 0$. Let $D$ be a square-free integer such that $aD$ is not a square. If the equation $Dy^2 = f(x)$ has a solution $(x_0, y_0)$ in the integers, then $(t, n, q)$ represents a family of curves with embedding degree $k$.

Proof. Completing the square in the equation $Dy^2 = f(x)$ and multiplying by $4a$ gives

$$aD(2y)^2 = (2ax + b)^2 - (b^2 - 4ac). \qquad (2.1)$$

If we write $aD = D'r^2$ with $D'$ square-free and make the substitutions $u = 2ax + b$, $v = 2ry$, $T = b^2 - 4ac$, the equation becomes

$$u^2 - D'v^2 = T. \qquad (2.2)$$

Note that since $aD$ is not a square, we have $D' > 1$.

Under the above substitution, a solution $(x_0, y_0)$ to the original equation $Dy^2 = f(x)$ gives an element $u_0 + v_0\sqrt{D'}$ of the real quadratic field $\mathbb{Q}(\sqrt{D'})$ with norm $T$. Furthermore, this solution satisfies the congruence conditions

$$u_0 \equiv b \pmod{2a}, \qquad v_0 \equiv 0 \pmod{2r}. \qquad (2.3)$$

We wish to find an infinite set of solutions $(u, v)$ satisfying the same congruence conditions, for we can transform such a solution into an integer solution to the original equation. To find such solutions we employ Dirichlet's unit theorem [17, §1.7], which tells us that the integer solutions to the equation $\alpha^2 - D'\beta^2 = 1$ are in one-to-one correspondence with the real numbers $\alpha + \beta\sqrt{D'} = \pm(\alpha_0 + \beta_0\sqrt{D'})^n$ for some fixed $(\alpha_0, \beta_0)$ and any integer $n$. The real number $\alpha_0 + \beta_0\sqrt{D'}$ is either a fundamental unit of the real quadratic field $\mathbb{Q}(\sqrt{D'})$ or (if the norm of the fundamental unit is $-1$) the square of a fundamental unit.

Reducing the coefficients of $\alpha_0 + \beta_0\sqrt{D'}$ modulo $2a$ gives an element $z = \alpha + \beta x$ of the ring

$$R = \frac{(\mathbb{Z}/2a\mathbb{Z})[x]}{(x^2 - D')}. \qquad (2.4)$$

Furthermore, since $(\alpha_0 + \beta_0\sqrt{D'})(\alpha_0 - \beta_0\sqrt{D'}) = 1$, $z$ is invertible in $R$, i.e. $z \in R^*$. Since $R^*$ is a finite group of size less than $4a^2$, there is an integer $m < 4a^2$ such that $z^m = 1$ in $R^*$.¹ Lifting back up to the full ring $\mathbb{Z}[\sqrt{D'}]$, we see that $(\alpha_0 + \beta_0\sqrt{D'})^m = \alpha_1 + \beta_1\sqrt{D'}$ for integers $\alpha_1, \beta_1$ satisfying

$$\alpha_1 \equiv 1 \pmod{2a}, \qquad \beta_1 \equiv 0 \pmod{2a}. \qquad (2.5)$$

Now for any integer $n$ we can compute integers $(u, v)$ such that

$$u + v\sqrt{D'} = (u_0 + v_0\sqrt{D'})(\alpha_1 + \beta_1\sqrt{D'})^n. \qquad (2.6)$$

We claim that $(u, v)$ satisfy the congruence conditions (2.3). To see this, let $\alpha_n + \beta_n\sqrt{D'} = (\alpha_1 + \beta_1\sqrt{D'})^n$. The conditions (2.5) imply that $\alpha_n \equiv 1 \pmod{2a}$ and $\beta_n \equiv 0 \pmod{2a}$. Combining this observation with the formulas

$$u = \alpha_n u_0 + \beta_n v_0 D', \qquad v = \alpha_n v_0 + \beta_n u_0, \qquad (2.7)$$

we see that $u \equiv u_0 \equiv b \pmod{2a}$ and $v \equiv v_0 \pmod{2a}$. Furthermore, $v_0 \equiv 0 \pmod{2r}$ and $2r$ divides $2a$ (since $aD = D'r^2$ with $D$ square-free, every prime power dividing $r$ also divides $a$), so we conclude that $v \equiv 0 \pmod{2r}$.

The new solution $(u, v)$ thus satisfies the congruence conditions (2.3). Any integer $n$ gives such a solution, so by setting $x = (u - b)/2a$ and $y = v/2r$ for each such $(u, v)$, we have generated an infinite number of integer solutions to the equation $Dy^2 = f(x)$. This is condition (4) of Definition 2.5; by hypothesis $(t, n, q)$ satisfy conditions (1), (2), and (3), so we conclude that $(t, n, q)$ represents a family of curves with embedding degree $k$. □

¹ In fact, since $z$ is an element of the norm-one subgroup of $R^*$, $m$ is bounded above by $2^s a$, where $s$ is the number of distinct primes dividing $2a$. A more detailed study of the group $R^*$ appears in an earlier draft of this paper.

Remark 2.8. More generally, we may find an infinite family of curves in the case where $f(x) = g(x)^2 h(x)$, with $h(x)$ quadratic. Specifically, if we let $y = y'g(x)$, then given one integral solution $(x, y')$ to the equation $Dy'^2 = h(x)$ we may use the method of Theorem 2.7 to find an infinite number of solutions. However, we currently know of no examples for which $f(x)$ is of this form.

Theorem 2.7 tells us that if $f(x)$ is quadratic and square-free, we may get a family of curves of the prescribed embedding degree for each $D$. If $f(x)$ is instead a linear function times a square, then we may still get a family of curves, but for only a single $D$. This is the method that Barreto and Naehrig [2] use to construct curves with $k = 12$ (see Section 4.2).

Proposition 2.9. Fix an integer $k > 0$, and let $n(x)$, $t(x)$, and $q(x)$ be polynomials in $\mathbb{Z}[x]$ satisfying conditions (1), (2), and (3) of Definition 2.5. Let $f(x) = 4q(x) - t(x)^2$, and suppose $f(x) = (4x + D)g(x)^2$ for some positive integer $D$ and some polynomial $g(x)$. Then $(t, n, q)$ represents a family of curves with embedding degree $k$.

Proof. For any integer $v$, we set $x = 4Dv^2 + 2Dv$ and let $y = (4v + 1)g(x)$. Then $4x + D = D(16v^2 + 8v + 1) = D(4v + 1)^2$, so $Dy^2 = D(4v + 1)^2 g(x)^2 = (4x + D)g(x)^2 = f(x)$; that is, $(x, y)$ is a solution to the equation $Dy^2 = f(x)$, so if $D$ is square-free then condition (4) is satisfied for the integer $D$. If $D$ is not square-free then we may absorb its square factors into $y$, and condition (4) is satisfied for the largest square-free factor $D_1$ of $D$. □

We conclude this section with a partial converse to Theorem 2.7: namely, if the degree of $f(x)$ is at least 3, then we are unlikely to find an infinite family of curves.

Proposition 2.10. Let $(t, n, q)$ be polynomials with integer coefficients satisfying conditions (1), (2), and (3) of Definition 2.5, and let $f(x) = 4q(x) - t(x)^2$. Suppose $f(x)$ is square-free and $\deg f(x) \geq 3$. Then $(t, n, q)$ does not represent a family of elliptic curves with embedding degree $k$.

Proof. Since $f(x)$ is square-free (i.e. has no double roots) and has degree at least 3, the equation $Dy^2 = f(x)$ defines a smooth affine plane curve of genus $g \geq 1$. By Siegel's Theorem (cf. [Theorem IX.4.3] and [§1.2]) such curves have a finite number of integral points, so condition (4) is not satisfied. □

3 Elliptic Curves with Embedding Degree 10

In this section, we use the method of Section 2, and Theorem 2.7 in particular, to construct elliptic curves of prime order with embedding degree 10. Our key observation is that since the hypotheses of Theorem 2.7 require $f(x) = 4n(x) - (t(x) - 2)^2$ to be quadratic, we should choose $n(x)$ and $t(x)$ in such a way that the high-degree terms of $t(x)^2$ cancel out those of $4n(x)$; in particular, the degree of $t(x)$ must be half the degree of $n(x)$. We have discovered that for $k = 10$ there is a choice of $n(x)$ and $t(x)$ such that this is possible. The resulting construction of elliptic curves with embedding degree 10 solves an open problem posed by Boneh, Lynn, and Shacham [6, §4.5].

We begin by recalling that to construct a curve with embedding degree $k$, we must choose the number of points $n(x)$ and the trace $t(x)$ such that $n(x)$ is an irreducible factor of $\Phi_k(t(x) - 1)$, where $\Phi_k$ is the $k$th cyclotomic polynomial. If $k = 10$ and $t(x)$ is linear then $\Phi_k(t(x) - 1)$ is an irreducible quartic polynomial, so there is no hope of $f(x) = 4n(x) - (t(x) - 2)^2$ being quadratic. If $k = 10$ and $t(x)$ is quadratic, Galbraith, McKee, and Valença [12] show that in this case $\Phi_k(t(x) - 1)$ either is irreducible of degree 8 or factors into two irreducible quartic polynomials. They then show that there is an infinite set of $t(x)$ such that the latter occurs, and that these $t(x)$ are parameterized by the rational points of a certain elliptic curve. By experimenting with some of the examples given by Galbraith et al., we discovered that $t(x) = 10x^2 + 5x + 3$ leads to a quadratic $f(x)$.

Theorem 3.1. Fix a positive square-free integer $D$ relatively prime to 15. Define $t(x)$, $n(x)$, and $q(x)$ by

$$t(x) = 10x^2 + 5x + 3,$$
$$n(x) = 25x^4 + 25x^3 + 15x^2 + 5x + 1,$$
$$q(x) = 25x^4 + 25x^3 + 25x^2 + 10x + 3.$$

If the equation $u^2 - 15Dv^2 = -20$ has a solution with $u \equiv 5 \pmod{15}$, then $(t, n, q)$ represents a family of curves with embedding degree 10.

Proof. It is easy to verify that conditions (1)-(3) of Definition 2.5 hold. Condition (4) requires an infinite number of integer solutions to $Dy^2 = f(x)$, where $f(x) = 4q(x) - t(x)^2$. The key observation is that for this choice of $t$ and $n$,

$$f(x) = 4q(x) - t(x)^2 = 15x^2 + 10x + 3. \qquad (3.1)$$

Multiplying by 15 and completing the square transforms the equation we wish to solve into

$$D'y^2 = (15x + 5)^2 + 20, \qquad (3.2)$$

where $D' = 15D$. Integer solutions to this equation correspond to integer solutions to $u^2 - D'v^2 = -20$ with $u \equiv 5 \pmod{15}$ (via $u = 15x + 5$ and $v = y$). By Theorem 2.7, if one such solution exists then an infinite number exist, so $(t, n, q)$ represents a family of curves with embedding degree 10. □

To use the above result to construct curves with embedding degree 10, we choose a $D$ and search for solutions to the equation $u^2 - 15Dv^2 = -20$ that give prime values for $q$ and $n$. The following lemma, proposed by Mike Scott, speeds up this process by restricting the values of $D$ that we can use.



Lemma 3.2. Let $q(x)$ be as in Theorem 3.1. If $(x, y)$ is an integer solution to $Dy^2 = 15x^2 + 10x + 3$ such that $q(x)$ is prime, then $D \equiv 43$ or $67 \pmod{120}$.

Proof. If $x \equiv 0$ or $2 \pmod 3$ then $q(x)$ is divisible by 3, while if $x$ is odd then $q(x)$ is even. Thus if $q(x)$ is prime, then $x \equiv 4 \pmod 6$.

To deduce the stated congruence for $D$, we consider the equation $Dy^2 = 15x^2 + 10x + 3$ modulo 3, 5, and 8. To begin, we have $Dy^2 \equiv x \equiv 1 \pmod 3$, so $D \equiv 1 \pmod 3$. Next, we have $Dy^2 \equiv 3 \pmod 5$, so $y^2 \equiv 1$ or $4 \pmod 5$ and $D \equiv 2$ or $3 \pmod 5$. Finally, since $x$ is even we see that $Dy^2 \equiv 3 \pmod 8$, and thus $y^2 \equiv 1 \pmod 8$ and $D \equiv 3 \pmod 8$. Combining these results via the Chinese remainder theorem, we conclude that $D \equiv 43$ or $67 \pmod{120}$. □

After reading an earlier draft of this paper, Mike Scott used Theorem 3.1 and Lemma 3.2 to find examples of elliptic curves with embedding degree 10 via the following algorithm.

1. Choose a $D$ such that $15D$ is square-free and $D \equiv 43$ or $67 \pmod{120}$.

2. Find solutions $(u, v)$ to the equation $u^2 - 15Dv^2 = -20$.

3. For each solution $(u, v)$:

   (a) If $u$ is too large (e.g. $> 128$ bits), go to the next solution.

   (b) If $u \equiv \pm 5 \pmod{15}$, then

      i. Let $x = (-5 \pm u)/15$.

      ii. If $q(x)$ and $n(x)$ are prime, output $(D, x)$.

   (c) Multiply $u + v\sqrt{15D}$ by a norm-one element of $\mathbb{Q}(\sqrt{15D})$ to get a new $(u, v)$, and return to step (a).

4. Increase $D$ and return to step (1).
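As an added example of the search above (my code, not Scott's program), the Python below runs steps 1-3 for one fixed $D$: it finds small solutions of $u^2 - 15Dv^2 = -20$ by trial over $v$, uses the fundamental solution of $a^2 - 15Db^2 = 1$ (read off the continued fraction of $\sqrt{15D}$) as the norm-one element of step 3(c), applies the congruence test of step 3(b), and tests $n(x)$ and $q(x)$ with a Miller-Rabin routine on fixed bases (deterministic below $3.3 \cdot 10^{24}$, a strong probable-prime test above). The demonstration value $D = 43$ is my own choice, not one from the paper: it satisfies Lemma 3.2, and $v = 1$, $u = \pm 25$ gives $x = -2$ with $n(-2) = 251$ and $q(-2) = 283$ both prime.

```python
from math import isqrt


# Polynomials of Theorem 3.1 (embedding degree 10).
def t_poly(x): return 10 * x * x + 5 * x + 3
def n_poly(x): return 25 * x**4 + 25 * x**3 + 15 * x * x + 5 * x + 1
def q_poly(x): return 25 * x**4 + 25 * x**3 + 25 * x * x + 10 * x + 3
def f_poly(x): return 15 * x * x + 10 * x + 3      # 4q(x) - t(x)^2, equation (3.1)


MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases: deterministic for
    n < 3.3e24, a strong probable-prime test above that."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_squarefree(m):
    p = 2
    while p * p <= m:
        if m % (p * p) == 0:
            return False
        p += 1
    return True


def lemma_3_2_congruence(D):
    return D % 120 in (43, 67)


def d_admissible(D):
    """Step 1 of the search: 15D square-free and D = 43 or 67 (mod 120)."""
    return lemma_3_2_congruence(D) and is_squarefree(15 * D)


def pell_fundamental(Dp):
    """Smallest (a, b) with a^2 - Dp b^2 = 1 (Dp > 1 not a square), from the
    continued fraction of sqrt(Dp); this is the norm-one element of step 3(c)."""
    a0 = isqrt(Dp)
    assert a0 * a0 != Dp
    m, d, a = 0, 1, a0
    p_prev, p = 1, a0
    q_prev, q = 0, 1
    while p * p - Dp * q * q != 1:
        m = d * a - m
        d = (Dp - m * m) // d
        a = (a0 + m) // d
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
    return p, q


def norm_equation_solutions(D, steps, vmax):
    """Step 2: small solutions of u^2 - 15D v^2 = -20 found by trying v up to
    vmax, each extended by multiplying u + v*sqrt(15D) by powers of the
    fundamental unit (step 3(c))."""
    Dp = 15 * D
    a, b = pell_fundamental(Dp)
    out = []
    for v in range(1, vmax + 1):
        w = Dp * v * v - 20
        if w < 0:
            continue
        r = isqrt(w)
        if r * r != w:
            continue
        for u in (r, -r):
            uu, vv = u, v
            for _ in range(steps):
                out.append((uu, vv))
                uu, vv = uu * a + vv * b * Dp, uu * b + vv * a
    return out


def search_k10(D, steps=12, vmax=300, max_bits=200):
    """Step 3: keep solutions with u = +-5 (mod 15), recover x = (u - 5)/15
    (after replacing u by -u when u = -5 (mod 15)) and y = v, and report the
    x for which n(x) and q(x) are both prime.  Returns sorted (x, y) pairs."""
    found = set()
    for u, v in norm_equation_solutions(D, steps, vmax):
        if u.bit_length() > max_bits:          # step 3(a)
            continue
        if u % 15 == 10:                       # u = -5 (mod 15): take the conjugate
            u = -u
        if u % 15 != 5:
            continue
        x, y = (u - 5) // 15, abs(v)
        assert D * y * y == f_poly(x)          # D y^2 = f(x) holds exactly here
        if is_probable_prime(n_poly(x)) and is_probable_prime(q_poly(x)):
            found.add((x, y))
    return sorted(found)


if __name__ == "__main__":
    print(search_k10(43))                     # contains (-2, 1): t = 33, n = 251, q = 283
```

The paper's two values $D = 1666603$ and $D = 579003643$ are both $\equiv 43 \pmod{120}$, as Lemma 3.2 requires; the same routine applies to them, but the initial solutions there are far beyond the trial range used for $v$ and have to be found by other means (or taken from the paper's examples by solving $t(x) = q + 1 - n$ for $x$).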

For each $(D, x)$ output by the algorithm, Scott used the Complex Multiplication method (cf. [3], [16]) to construct an elliptic curve over $\mathbb{F}_{q(x)}$ whose number of points is $n(x)$. By Theorem 2.2 this curve has embedding degree at most 10, and in practice we find that the embedding degree is exactly 10. Below are two examples of elliptic curves constructed in this manner.

Example 3.3. (A 149-bit curve.) Choosing $D = 1666603$ and running the above algorithm produces the following example. Let $q, n, A, B$ be as follows:

q = 503189899097385532598615948567975432740967203
n = 503189899097385532598571084778608176410973351
A = -3
B = 78778770898368212452154728282767760988008151.

Then $q$ and $n$ are 149-bit prime numbers such that the curve $y^2 = x^3 + Ax + B$ defined over $\mathbb{F}_q$ has $n$ points. Since $n \mid q^{10} - 1$ and $n \nmid q^i - 1$ for $i < 10$, this curve has embedding degree 10.



Example 3.4. (A 196-bit curve.) Choosing $D = 579003643$ and running the above algorithm produces the following example. Let $q, n, A, B$ be as follows:

q = 61099963271083128746073769567944870354270161646150914794603
n = 61099963271083128746073769567450502219087145916434839626301
A = -3
B = 1112775869471458154129950648198203893613615552476491488167.

Then $q$ and $n$ are 196-bit prime numbers such that the curve $y^2 = x^3 + Ax + B$ defined over $\mathbb{F}_q$ has $n$ points. Since $n \mid q^{10} - 1$ and $n \nmid q^i - 1$ for $i < 10$, this curve has embedding degree 10.
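To show the Complex Multiplication step on a case small enough to check by hand, here is an added Python example (mine; it is not Scott's implementation and uses none of the paper's 149- and 196-bit values). At $x = -2$ the polynomials of Theorem 3.1 give $q = 283$, $n = 251$, $t = 33$ and $4q - t^2 = 43$, so $D = 43$ and the CM field is $\mathbb{Q}(\sqrt{-43})$, which has class number one with $j$-invariant $-960^3$; that $j$-value is a standard table entry and is the one assumption beyond the paper's polynomials. The code builds a curve with that $j$-invariant over $\mathbb{F}_{283}$, counts points by brute force, switches to the quadratic twist if the order is $2q + 2 - n$ rather than $n$, and verifies the embedding degree exactly as in the two examples above.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p (Euler's criterion)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(p, a, b):
    """#E(F_p) for E: y^2 = x^3 + a x + b, by enumerating x (tiny p only)."""
    return p + 1 + sum(legendre(x**3 + a * x + b, p) for x in range(p))


def curve_from_j(p, j):
    """Short Weierstrass coefficients (a, b) over F_p with j-invariant j,
    for j not 0 or 1728: a = 3k, b = 2k with k = j/(1728 - j).
    (pow(x, -1, p) needs Python 3.8 or later.)"""
    j %= p
    assert j not in (0, 1728 % p)
    k = j * pow(1728 - j, -1, p) % p
    return 3 * k % p, 2 * k % p


def quadratic_nonresidue(p):
    d = 2
    while legendre(d, p) != -1:
        d += 1
    return d


def cm_curve(p, j, n):
    """CM step of the construction: from the j-invariant of the CM order,
    return (a, b) for a curve over F_p with exactly n points, taking the
    quadratic twist (which has 2p + 2 - #E points) when necessary."""
    a, b = curve_from_j(p, j)
    if count_points(p, a, b) == n:
        return a, b
    d = quadratic_nonresidue(p)
    a2, b2 = a * d * d % p, b * d**3 % p
    assert count_points(p, a2, b2) == n
    return a2, b2


def embedding_degree(q, n, bound=100):
    """Smallest k with n | q^k - 1 (Definition 2.1), or None up to bound."""
    for k in range(1, bound + 1):
        if pow(q, k, n) == 1:
            return k
    return None


# Constructed instance of the k = 10 family at x = -2 (values computed for
# this example): q = 283, n = 251, t = 33, and 4q - t^2 = 43 = D * 1^2.
Q0, N0, T0, D0 = 283, 251, 33, 43
# j-invariant of the imaginary quadratic order of discriminant -43, which has
# class number one (assumed table value, not from the paper).
J_MINUS_43 = -960**3


def build_example():
    """Returns (a, b, #E(F_q), embedding degree) for the constructed instance."""
    assert 4 * Q0 - T0 * T0 == D0
    a, b = cm_curve(Q0, J_MINUS_43, N0)
    return a, b, count_points(Q0, a, b), embedding_degree(Q0, N0)


if __name__ == "__main__":
    print(build_example())
```

Because $4q = t^2 + 43 \cdot 1^2$, the curve with this $j$-invariant over $\mathbb{F}_{283}$ has trace $\pm 33$, so either it or its twist has exactly $251$ points; the order check in `cm_curve` picks the right one, and the embedding degree comes out as 10 because $283 \equiv 32 \pmod{251}$ has multiplicative order 10.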

4 Elliptic Curve Families with Small Embedding Degree 

In this section we show how the existing constructions of ordinary elliptic curves of prime order with embedding degree 3, 4, or 6 [15] or embedding degree 12 [2] can be explained via the framework of Section 2. The former uses Theorem 2.7, while the latter employs Proposition 2.9.

4.1 MNT Elliptic Curves 

Miyaji, Nakabayashi, and Takano [15] have classified all ordinary elliptic curves of prime order with embedding degree 3, 4, and 6. Their theorem is as follows:

Theorem 4.1 ([15]). Let $E$ be an ordinary elliptic curve over $\mathbb{F}_q$ such that $\#E(\mathbb{F}_q) = n = q + 1 - t$ is prime and $E$ has embedding degree $k = 3$, $4$, or $6$. Then there exists an integer $x$ such that $t$, $n$, and $q$ are of the form specified in the following table:

  k    t                   n                               q
  3    $-1 \pm 6x$         $12x^2 \mp 6x + 1$              $12x^2 - 1$
  4    $-x$ or $x + 1$     $x^2 + 2x + 2$ or $x^2 + 1$     $x^2 + x + 1$
  6    $1 \pm 2x$          $4x^2 \mp 2x + 1$               $4x^2 + 1$

This theorem fits into the framework of Section 2 as follows. To find an infinite family of curves via Theorem 2.7 we require $f(x)$ to be quadratic. Since $\deg \Phi_k(x) = 2$ for $k = 3$, $4$, or $6$, if we let $t(x)$ be any linear polynomial and $n(x)$ be the (irreducible) quadratic $\Phi_k(t(x) - 1)$ (with any constant factor divided out), then $f(x) = 4n(x) - (t(x) - 2)^2$ is quadratic. If $q(x) = n(x) + t(x) - 1$ is also irreducible and the equation $Dy^2 = f(x)$ has one solution, then $(t, n, q)$ satisfy the hypotheses of Theorem 2.7 and thus represent a family of curves with embedding degree $k$. Miyaji et al. arrive at their stronger result by using the fact that $\#E(\mathbb{F}_q)$ is prime to show that any values of $t$, $n$, and $q$ that give rise to such a curve must be of the specified form.



4.2 Elliptic Curves with Embedding Degree 12 



Finally, we note that the Barreto-Naehrig construction [2] of curves with embedding degree 12 falls under the case of Proposition 2.9. Specifically, if $t(x) = 6x^2 + 1$, then $\Phi_{12}(t(x) - 1) = n(x)\,n(-x)$, where $n(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1$, and

$$f(x) = 4n(x) - (t(x) - 2)^2 = 3(6x^2 + 4x + 1)^2. \qquad (4.1)$$

Since $q(x) = n(x) + t(x) - 1 = 36x^4 + 36x^3 + 24x^2 + 6x + 1$ is also irreducible, Proposition 2.9 tells us that if we set $D = 3$, then $(t, n, q)$ represents a family of curves with embedding degree 12. Here the linear factor of Proposition 2.9 has degenerated to the constant 3, and indeed $y = g(x) = 6x^2 + 4x + 1$ gives an integer solution of $3y^2 = f(x)$ for every integer $x$.

5 Higher Embedding Degrees 

To construct families of elliptic curves with prescribed embedding degree, the method of Section 2 requires us to find an infinite number of integer solutions to an equation of the form $Dy^2 = f(x)$. In this section, we give evidence that in general the degree of $f(x)$ is large, and thus by Proposition 2.10 we are unlikely to find an infinite family of curves. We begin with a lemma that restricts the possible degrees of the polynomial $n(x)$; the lemma generalizes a result of Galbraith et al. [12, Lemma 1].

Lemma 5.1. Fix $k$, let $t(x)$ be a polynomial, and let $n(x)$ be an irreducible factor of $\Phi_k(t(x) - 1)$. Then the degree of $n$ is a multiple of $\varphi(k)$, where $\varphi$ is the Euler phi function.

Proof. Suppose $t(x)$ has degree $d$, so $\deg \Phi_k(t(x) - 1) = d\varphi(k)$. Let $\theta$ be a root of $n(x)$, and let $\omega = t(\theta) - 1$. Then $\Phi_k(\omega) = 0$, so $\omega$ is a primitive $k$th root of unity. We thus have the inclusion of fields $\mathbb{Q}(\theta) \supseteq \mathbb{Q}(\omega) \supseteq \mathbb{Q}$. Since $[\mathbb{Q}(\theta) : \mathbb{Q}] = \deg n(x)$ and $[\mathbb{Q}(\omega) : \mathbb{Q}] = \varphi(k)$, we conclude that $\varphi(k)$ divides $\deg n(x)$. □

The key observation that allowed us to construct families of elliptic curves with embedding degree 10 was that if $f(x)$ is quadratic and $n(x)$ has degree greater than 2, then the polynomial $t(x)$ must be chosen so that the high degree terms of $t(x)^2$ cancel out those of $4n(x)$. The following proposition shows that this is in fact the only way to construct such families.

Proposition 5.2. Suppose $(t, n, q)$ represents a family of curves with embedding degree $k$, and suppose further that $f(x) = 4n(x) - (t(x) - 2)^2$ is square-free. If $\varphi(k) \geq 4$, then

$$\deg t(x) = \tfrac{1}{2}\deg n(x) = \tfrac{1}{2}\deg q(x). \qquad (5.1)$$

Furthermore, if $a$ is the leading coefficient of $t(x)$, then $a^2/4$ is the leading coefficient of $n(x)$ and $q(x)$.


Proof. Since $\varphi(k) \geq 4$, by Lemma 5.1 $\deg n(x) \geq 4$, and since $f(x)$ is square-free, by Proposition 2.10 $\deg f(x) \leq 2$. Since $f(x) = 4n(x) - (t(x) - 2)^2$, the leading terms of $4n(x)$ and $t(x)^2$ must cancel, so we conclude that $\deg t(x) = \tfrac{1}{2}\deg n(x)$, and since $n(x) = q(x) + 1 - t(x)$, we see that $\deg n(x) = \deg q(x)$. The observation about the leading coefficients follows immediately. □

As an immediate corollary, we see that if $k > 6$ (so $\varphi(k) \geq 4$) then choosing a linear $t(x)$ will not in general give us an infinite family of curves, whereas if $k > 12$ (so $\varphi(k) \geq 6$) then choosing a quadratic $t(x)$ will not in general give us an infinite family of curves.

Proposition 5.2 tells us that for embedding degrees $k$ with $\varphi(k) \geq 4$, to find an infinite family of curves we will have to choose $t(x)$ of degree at least 2 such that $\Phi_k(t(x) - 1)$ is not irreducible. Galbraith, McKee, and Valença [12] observe that this is hard even for quadratic $t(x)$, and as the degree increases the problem will only become more difficult. An alternative would be to choose $t$ and $n$ such that $f(x)$ has a square factor; this appears to be just as difficult, but has not been studied in depth.



6 Conclusion 

We have seen in Section 2 that the current methods for constructing families of elliptic curves of prime order with prescribed embedding degree can all be subsumed under a general framework. In Section 3 we showed how this framework can be used to construct curves with embedding degree 10 and we gave examples of such curves, which have not previously appeared in the literature. In Section 4 we showed how this framework incorporates the existing constructions for embedding degrees 3, 4, 6, and 12.

In Section 5 we showed that our method can only produce an infinite family of curves if a certain polynomial $f(x)$ either is quadratic or has a square factor. These two conditions have been achieved for $k = 10$ and $k = 12$, respectively, but these two examples appear to be special cases, and in general we have not found a way to achieve either of these two conditions. The success of our method in producing curves with embedding degree greater than 12 depends on our ability to control the behavior of $f(x)$, which leads to the following important open problem.

Problem 6.1. Given an integer $k$ such that $\varphi(k) > 4$, find polynomials $t(x)$ and $n(x)$ such that

1. $n(x)$ is an irreducible factor of $\Phi_k(t(x) - 1)$, where $\Phi_k$ is the $k$th cyclotomic polynomial, and

2. $f(x) = 4n(x) - (t(x) - 2)^2$ is either quadratic or of the form $g(x)^2 h(x)$, with $\deg h(x) \leq 2$.